To protect a service from attacks that use the parameters of a URL query string or the parameters of a form POST body, use SECURITY POLICIES > Parameter Protection. Parameter Protection defends web applications from parameter-based attacks when Parameter Profiles are not used.
Parameters that contain special characters may have SQL or HTML tag expressions embedded in them. Embedded SQL keywords such as "OR", "SELECT", or "UNION" in a parameter, or system commands such as "xp_cmdshell", can exploit web application vulnerabilities. These attack patterns can be configured in Parameter Protection and compared against incoming requests. If a parameter matches, the corresponding request is not processed.
Steps To Configure Parameter Protection
- Go to the SECURITY POLICIES > Parameter Protection page.
- Select the policy whose parameter protections settings you want to configure from the Policy Name drop-down list.
- In the Parameter Protection section, configure the following fields:
- Enable Parameter Protection – Select Yes to enforce parameter protection when Parameter Profiles are not used for validating the incoming requests.
- Values: Yes, No
- Recommended: Yes
- Denied Metacharacters – Specify the meta-characters that are not allowed in parameters. Non-printable characters such as "backspace" and URI reserved characters such as "?" should be URL encoded. Denied meta-characters help prevent SQL injection and cross-site scripting attacks. Some of the specified meta-characters may be legitimate for certain parameters, which causes valid requests to be blocked; tune the meta-character list for those specific parameters to avoid this. To add meta-characters, click the Edit icon and enter the disallowed values.
- Maximum Parameter Value Length – Specify the maximum allowed length of any parameter value, including no-name parameters.
- Range: 0 to 1073741824. Leave blank for "unlimited"
- Recommended: 1000
- Units: Bytes
- Maximum Instances – Enter the maximum number of times a parameter is allowed to appear in a request. By default, the value is set to 1. Restricting this value to one (1) avoids a large class of HTTP Parameter Pollution attacks and is recommended.
- Base64 Decode Parameter Value – Set to Yes to apply base64 decoding to parameter values. If a parameter value adheres to the Data URI scheme, base64 decoding is applied regardless of whether Base64 Decode Parameter Value is set to Yes or No. Otherwise, base64 decoding is applied only when Base64 Decode Parameter Value is set to Yes. Once decoding succeeds, the remaining parameter checks are enforced as per the policy settings.
- Allowed File Upload Type – Select Extensions to allow only uploaded files whose extensions are listed in File Upload Extensions. Select Mime Types to identify the content of each file before it is accepted and allow only files whose MIME types are listed in File Upload Mime Types.
- File Upload Extensions – Specify the extensions of files which may be uploaded. '.' is a special extension allowing files with no extension, and '*' allows any extension.
- File Upload Mime Types – Specify the MIME types that are allowed for uploaded files. Use "." to indicate a file with an unknown MIME type, and "*" to indicate any MIME type.
- Max Upload File Size – Specify the maximum allowed size of each individual uploaded file.
- Range: 0 to 51200. Leave blank for "unlimited"
- Recommended: 1024
- Units: Kilobytes
- Blocked Attack Types – Select the attack types that need to be matched against requests. Attack Types specify malicious patterns. Parameter values that match one of the selected Attack Types indicate an intrusion and are logged on the BASIC > Web Firewall Logs page.
Attack Types are defined as groups of regular expression patterns. Attack Types for SQL Injection, cross-site scripting and System Command Injection attacks are provided by default; one or more of these can be enabled for comparison against request parameters.
- Custom Blocked Attack Types – Select the custom attack types that need to be matched against requests. For information on how to create custom blocked attack types, see Configuring User Defined Patterns.
- Exception Patterns – Enter patterns that should be allowed even though they match a malicious pattern group. Configure the exact "Pattern Name" displayed on the ADVANCED > View Internal Patterns page, or configured by creating a "New Group" on the ADVANCED > Libraries page. The pattern name is also displayed in the Web Firewall Log when a request is wrongly denied (a false positive). For example, if the parameter value matched the "sql-comments" regex pattern under "sql-injection medium" on the ADVANCED > View Internal Patterns page, add "sql-comments" to the list to allow "sql-comments" in future.
- Ignore Parameters – Specify parameters that are exempt from all validations. Use this to skip validation for especially large parameters that are automatically generated by servers, such as __VIEWSTATE. Since these parameters are auto-generated, they are less likely to carry attacks and can therefore safely be exempted from validation checks. Note: Ignore Parameters is an exact match; wildcards are not supported, so a value containing "*" does not act as a wildcard. Examples: __VIEWSTATE, POSTBODY
- Click Save.
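The parameter checks described above (Denied Metacharacters, Maximum Parameter Value Length, Maximum Instances, Base64 Decode Parameter Value with the Data URI rule) and the pattern-matching fields (Blocked Attack Types, Custom Blocked Attack Types, Exception Patterns, Ignore Parameters) fit together as one evaluation pipeline. The Python below is an added example written for this page, not Barracuda's implementation: the `ATTACK_TYPES` and `CUSTOM_ATTACK_TYPES` groups are tiny constructed stand-ins for the product's pattern library, the `ParameterProtection` and `Finding` classes and all sample requests are constructed for illustration, and the decision to run the pattern checks over both the raw and the decoded value is the example's own conservative choice.

```python
"""Constructed model of the Parameter Protection checks; example code only."""
import base64
import binascii
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qsl, unquote

# Assumed, deliberately small stand-ins for the built-in Attack Type groups.
ATTACK_TYPES: Dict[str, Dict[str, re.Pattern]] = {
    "sql-injection medium": {
        "sql-keywords": re.compile(r"\b(select|union|insert|delete|drop)\b", re.I),
        "sql-comments": re.compile(r"--|/\*|\*/"),
        "xp-cmdshell": re.compile(r"xp_cmdshell", re.I),
    },
    "cross-site scripting medium": {
        "script-tag": re.compile(r"<\s*script\b", re.I),
        "event-handler": re.compile(r"\bon\w+\s*=", re.I),
    },
}
# Assumed custom group, as one would define under Configuring User Defined Patterns.
CUSTOM_ATTACK_TYPES: Dict[str, Dict[str, re.Pattern]] = {
    "app-specific": {"internal-flag": re.compile(r"__internal_\w+")},
}
DATA_URI = re.compile(r"^data:[^,]*;base64,(?P<payload>.*)$", re.S)


@dataclass
class ParameterProtection:
    enabled: bool = True
    denied_metacharacters: str = ""            # URL-encoded, e.g. "%3C%3E%27"
    max_value_length: Optional[int] = 1000     # bytes; None = unlimited
    max_instances: int = 1                     # 1 blocks most HTTP Parameter Pollution
    base64_decode: bool = False
    blocked_attack_types: Set[str] = field(default_factory=set)
    custom_attack_types: Dict[str, Dict[str, re.Pattern]] = field(default_factory=dict)
    exception_patterns: Set[str] = field(default_factory=set)  # pattern names to allow
    ignore_parameters: Set[str] = field(default_factory=set)   # exact names, no wildcards


@dataclass
class Finding:
    parameter: str
    check: str    # "max-instances", "max-value-length", "denied-metacharacter" or a group name
    detail: str


def decode_value(value: str, policy: ParameterProtection) -> str:
    """Data URI values are always base64-decoded; other values only when the policy says so."""
    m = DATA_URI.match(value)
    if m:
        payload = m.group("payload")
    elif policy.base64_decode:
        payload = value
    else:
        return value
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return value  # not valid base64: the raw value is what gets checked


def evaluate(policy: ParameterProtection, query: str) -> List[Finding]:
    """Run every Parameter Protection check over a query string or form body; [] means clean."""
    findings: List[Finding] = []
    if not policy.enabled:
        return findings
    params = parse_qsl(query, keep_blank_values=True)  # a no-name parameter "=v" arrives as ("", "v")
    denied = set(unquote(policy.denied_metacharacters))
    groups = {n: p for n, p in ATTACK_TYPES.items() if n in policy.blocked_attack_types}
    groups.update(policy.custom_attack_types)

    for name, count in Counter(n for n, _ in params).items():
        if name not in policy.ignore_parameters and count > policy.max_instances:
            findings.append(Finding(name, "max-instances", f"{count} > {policy.max_instances}"))

    for name, raw in params:
        if name in policy.ignore_parameters:   # exact match only, as documented
            continue
        size = len(raw.encode("utf-8"))
        if policy.max_value_length is not None and size > policy.max_value_length:
            findings.append(Finding(name, "max-value-length", f"{size} > {policy.max_value_length} bytes"))
        decoded = decode_value(raw, policy)
        # Example's choice: check the decoded form in addition to the raw one, so a plain
        # value that happens to be valid base64 cannot slip past the pattern checks.
        for value in ([raw] if decoded == raw else [raw, decoded]):
            hits = sorted({c for c in value if c in denied})
            if hits:
                findings.append(Finding(name, "denied-metacharacter", "".join(hits)))
            for group, patterns in groups.items():
                for pattern_name, rx in patterns.items():
                    if pattern_name in policy.exception_patterns:
                        continue   # allow-listed by the name shown in the Web Firewall Log
                    if rx.search(value):
                        findings.append(Finding(name, group, pattern_name))
    return findings


if __name__ == "__main__":
    policy = ParameterProtection(denied_metacharacters="%3C%3E", blocked_attack_types=set(ATTACK_TYPES),
                                 custom_attack_types=CUSTOM_ATTACK_TYPES, ignore_parameters={"__VIEWSTATE"})
    for f in evaluate(policy, "id=1&id=2&q=1'%20UNION%20SELECT%201--&__VIEWSTATE=ignored"):
        print(f)
```

Each `Finding` names the parameter, the check or attack-type group that fired, and the pattern name, which is the same name an operator would look up in the Web Firewall Log before adding it to Exception Patterns. Note the ordering the page prescribes: decoding happens first, and the other checks then run on the result.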
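The file upload fields (Allowed File Upload Type, File Upload Extensions, File Upload Mime Types, Max Upload File Size) describe a second gate that runs on uploaded files rather than on parameter values. The Python below is an added example for this page, not the product's code: `MAGIC_NUMBERS` is a constructed five-entry stand-in for real content identification, the `UploadPolicy` class is assumed, and the "." and "*" semantics follow the field descriptions above (the MIME type is identified from the file's leading bytes, not from any declared Content-Type).

```python
"""Constructed file-upload gate modelled on the upload fields; example code only."""
import os
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed magic-number table for content identification (illustrative only).
MAGIC_NUMBERS = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


@dataclass
class UploadPolicy:
    allowed_type: str                                   # "extensions" or "mime_types"
    extensions: Set[str] = field(default_factory=set)   # lower-case; "." = no extension, "*" = any
    mime_types: Set[str] = field(default_factory=set)   # "." = unknown type, "*" = any
    max_size_kb: Optional[int] = 1024                   # None = unlimited (field left blank)


def file_extension(filename: str) -> str:
    """Text after the last '.' of the base name, lower-cased; '' when there is none."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def sniff_mime(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes instead of trusting a declared Content-Type."""
    for magic, mime in MAGIC_NUMBERS:
        if data.startswith(magic):
            return mime
    return None


def _listed(value: Optional[str], allowed: Set[str]) -> bool:
    # "*" matches everything; "." matches the none/unknown case; otherwise exact match.
    if "*" in allowed:
        return True
    if not value:
        return "." in allowed
    return value in allowed


def check_upload(policy: UploadPolicy, filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one uploaded file."""
    if policy.max_size_kb is not None and len(data) > policy.max_size_kb * 1024:
        return False, f"{len(data)} bytes exceeds Max Upload File Size of {policy.max_size_kb} KB"
    if policy.allowed_type == "extensions":
        ext = file_extension(filename)
        if _listed(ext, policy.extensions):
            return True, f"extension {ext or '(none)'} allowed"
        return False, f"extension {ext or '(none)'} not in File Upload Extensions"
    if policy.allowed_type == "mime_types":
        mime = sniff_mime(data)
        if _listed(mime, policy.mime_types):
            return True, f"content type {mime or '(unknown)'} allowed"
        return False, f"content type {mime or '(unknown)'} not in File Upload Mime Types"
    raise ValueError(f"unknown Allowed File Upload Type: {policy.allowed_type}")


if __name__ == "__main__":
    images_only = UploadPolicy("mime_types", mime_types={"image/png", "image/jpeg"}, max_size_kb=1)
    print(check_upload(images_only, "avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(check_upload(images_only, "avatar.png", b"plain text pretending to be a PNG"))
```

The size check runs first so that an oversized file is rejected before any content is inspected, and the Mime Types mode deliberately ignores the file name: a file called avatar.png whose bytes are not a PNG is rejected, which is the case the Extensions mode cannot catch.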